Forum menu
Given coop just managed to send me a new card in the wrongly spelled name, I wouldn’t use them as a bastion of security… :-/
If I were you, I'd be more worried about the potential threat of removing cash completely out of circulation if and when we go to negative interest rates. EU has already begun this process by removing 500 Euro notes...
Apparently they haven't yet, but are considering it. Not particularly surprised, it's widely known/suspected round here in Spain that the only people with 500€ notes are corrupt business(wo)men/politicians.
I think it's best put this way -
If was actually was that easy to just do a lap on the tube and skim £££ in £30 chunks from peoples contactless cards, it would of been done, exposed, and fixed by now. If it was that easy, they'd all be at it.
Brooess, maybe you can answer me a question?
If as a retailer a contactless card is fraudulently used and the card owner notifies the bank does the retailer still get paid?
The credit card companies are really pushing contactless by offering lower transaction fees , I'm just wondering how it benefits the card company.
I don't see why the retailer wouldn't get their cash but I don't know the rules for sure - check with your Acquirer. I suspect they would have to reimburse the retailer otherwise there'd be limited takeup of contactless.
Contactless benefits the issuing bank because it means consumers will use card instead of cash - they don't get revenue from a cash transaction, and neither do the acquiring bank.
If was actually was that easy to just do a lap on the tube and skim £££ in £30 chunks from peoples contactless cards, it would of been done, exposed, and fixed by now. If it was that easy, they'd all be at it.
Correct. There are literally millions more contactless transactions per day on TFL than there were just two years ago after cash was banned on the busses, and the big push to contactless by TFL last year. We would quite definitely know if there'd been a big rise in fraud as a result
I wouldn't be surprised if there's some clever way you could get done/cloned/skimmed or whatever through contactless, and that real people might have lost actual money. But for me it's a long way from being enough of a concern that I'd actually take extra steps to secure against it.
that I'd actually take extra steps to secure against it.
Not even a RFID safe wallet?
Not even a RFID safe wallet?
I don't even have a non-RFID safe wallet, so that kind of investment is far too much for me 😉
We would quite definitely know if there'd been a big rise in fraud as a result
unless it was masked by the massive increase in contactless activity. There may have been a big increase in the amount of fraud, but its percentage of all contactless activity would be shrinking.
I used to work for barclays at the time they introduced this tech to their cards. At the launch have meeting I told the presentation guy it was too easy to clone the card and spend money without you knowing. He said it was secure so I asked him for u is card and cloned it within a few minutes using my new NFC phone then used it to pay for stuff on the demo terminal. He went rather white and made a phone call. They still launched the cards.
I won't have a contact less card for this reason.
He went rather white and made a phone call. They still launched the cards.
was that the reason you used to work for Barclays ?
When I lived in Australia they had contactless a few years before it was common over here and and before PIN codes were mandatory.
I had over AU$6000 dollars stolen from a bank account and the bank reckoned it was from an RFID skim / clone of my card from the contactless that was then used to systematically empty the account.
cloned it within a few minutes using my new NFC phone then used it to pay for stuff on the demo terminal
You used a new technology to clone another new technology during its presentation? You'll forgive me if I'm sceptical.
Assuming you did do that, I'd be very interested to know if you still could.
the bank reckoned it was from an RFID skim / clone of my card from the contactless
By "the bank reckoned," do you mean that some random person working at the bank guessed? Even if that scenario is exactly what happened, I'm at a loss as to how the bank could possibly ascertain that beyond speculation.
milky1980 are your hands registered with the government as lethal weapons? Just wondering...
You used a new technology to clone another new technology during its presentation? You'll forgive me if I'm sceptical.
I was thinking exactly the same thing.
How did you clone the three digit code off the back of the card onto your phone ?
It's hardly a very scalable crime as you need an account linked to a card payment machine from a bank, which makes the perpetrator easily traceable.
I used to work for barclays at the time they introduced this tech to their cards. At the launch have meeting I told the presentation guy it was too easy to clone the card and spend money without you knowing. He said it was secure so I asked him for u is card and cloned it within a few minutes using my new NFC phone then used it to pay for stuff on the demo terminal. He went rather white and made a phone call. They still launched the cards.I won't have a contact less card for this reason.
Would you mind telling us what year this was? We can easily check when Barclays launched contactless. And also, maybe you could tell us what phone it was and we can do a little research to see if NFC was available on that handset model at that time...
There have been a lot of media scare stories about contactless over the years, but funnily enough there's been very few anecdotes or data since the massive increase in transactions seen from 2014 onwards which sugggests any increase in rates of fraud... with a massive increase in use, you'd expect a commensurate increase in fraud, if fraud was in fact an issue...
Barclays launched contactless cards in March 2009.
Fist android phone with NFC launched in 2010 🙂
[img] 
[/img]
Next you'll be telling me that Barclays PingIt doesn't have any flaws...
Next you'll be telling me that Barclays PingIt doesn't have any flaws...
Next you'll be telling us that cash is 100% safe from criminals 🙂
The point is that there's no evidence so far that Contactless fraud rates are significantly higher than Chip and PIN, not that it's flawless... Of course there's a risk, that's why the £30 limit was set. But the calculation was that the extra gain for the banks in revenues from additional card transactions which were previously made with cash would be greater than the costs of any fraud...
Simple solution to this problem, carry more than one contactless card. Tried a few times to pay with my wallet without removing a card, simply doesn't work. So unless they take out my wallet, extract a card, and then skim it; it's not going to happen (and I think I that point I might notice).
I dont have contactless payment
The luddite fix is foolproof
Latest issues of my debit and credit cards have all been contactless without me requesting it.
So you may be getting one anyway.
As I understand it RFID scanning and cloning is pretty trivial. What milky describes sounds technically feasible.
How did you clone the three digit code off the back of the card onto your phone ?
Why would he need that? You don't need any codes for contactless payments - that's kind of the point.
So, who's offering the merchant services to these terminals? I can't believe the merchant account would be kept open for long with lots of contested contactless payments and no payments verified by chip and pin.
The whole thing sounds very unlikely to me.
We now have to pay the credit card people some money and fill in a form saying we won't be naughty so everyone can rest easy.
I don't know about card and RFID but I stayed in a hotel in Oslo that used NFC keycards for the rooms. I used my Nexus 5 to see if I could read a card and it worked. I then set it to delete and managed to wipe a colleagues card that he put in his back pocket. Did it a few times and he was back and forward to reception to get his 'faulty' card replaced. Minutes of fun. Not beyond belief that I could have copied rather than wiped I guess.
How did you clone the three digit code off the back of the card onto your phone ?
Why would he need that? You don't need any codes for contactless payments - that's kind of the point.
Fair enough, I misunderstood and thought he claimed to use the cloned card details to put a sale through manually on the terminal.
Doesn't matter either way, I still don't believe it happened 🙂
So, who's offering the merchant services to these terminals?
That's the tricky bit, but given how prevalent Chip&Pin fraud is then there must be some nefarious ways around it. I'm guessing they get set up as merchants, do a bunch of fraudulent activity then scarper? Not sure how they avoid a very obvious paper trail?
Doesn't matter either way, I still don't believe it happened
It's technically very feasible - read RFID data from card onto your device, then present that same RFID data. That part isn't tricky, it's the merchant bit that is.
If I were one of these guys on the tube I'd set myself as a pop-up coffee stand then skim people on the tube for a relatively small amount. Even folk who check their accounts carefully are unlikely to pick up on a sub £5 transaction at a cafe.
It's technically very feasible - read RFID data from card onto your device, then present that same RFID data. That part isn't tricky
It is when the phone tech wasn't available until the following year.
Apart from the lack of a time machine, I'm sure it's a simple task.
And I'm pretty sure you need Host Card Emulation as well as NFC to be able to read/re-present secure credentials without using a hardware based secure element (SIM or phone). Post-2012 for HCE availability.
So... what was this magic phone you had in 2010 that had a feature that hadn't been invented yet?
Essentially, the banks accept there will be fraud, but if a merchant presents transactions that get flagged by customer as fraudulent in any significant number, I don't think the bank would actually pay up.
Would have been around he end of 2007 as I quit in the beginning of 2008 (refused to sell credit cards and stuff to people who couldn't afford it etc anymore). As for the phone, it was a company supplied no-name thing with various attachments for stuff, the reader was an attachment used for reading the new cards. More a small computer than a phone really. Could also read the login cards use for signing into the till/POD machines. I just used the read/write thing on it to clone his card.
[quote=zippykona ]I've just tried my life venture wallet on our contactless machine and I couldn't take any money. So that works.
Edit...our machine needs the card about 3mm away before it works. Not sure if there are super powerful machines out there.
Hmm, reading [url= http://forum.xda-developers.com/showpost.php?p=21408035&postcount=34 ]this[/url] it appears the hack to make something with much better range is fairy simple, so I certainly wouldn't rely on lack of range for security - though of course you do then have the mentioned issue of multiple responses confusing the device.
wrecker - Member
that I'd actually take extra steps to secure against it.Not even a RFID safe wallet?
What's the point? You then have to fanny around taking the card out of the wallet every time you want to use it, in which case you may as well just stick it in the slot.
I just use my phone now anyway, that can't be spoofed by anything.
What's the point? You then have to fanny around taking the card out of the wallet every time you want to use it
As I have 3 rfid cards it's always best to take it out, still faster and easier than entering a pin and hardly a hassle.
What makes you so sure your phone is safe? Software can always be compromised.
I used a contactless card in a familiar place recently, where it was an almost-daily event. It didn't work. The young lady behind the till said I needed to use it conventionally, with the pin, as a check that I'm really me. I think I passed. Maybe the system checks at intervals.
What's the point? You then have to fanny around taking the card out of the wallet every time you want to use it,
I do that now, and only have one contactless card 😳
Never tried it with the card in the wallet.
The photo that's going round isn't exactly fake but it isn't what it claims to be (bloke on the Underground / [insert your local town here]). It's social media spam based on generating fear. Actually comes from an article about this in Russia, and anyway general conclusion is this is very rare.
http://www.snopes.com/fraud/identity/pickpocket.asp
Makes sense deadkenny. I think we have established you can read and clone the data with a modern smartphone which would be a lot less conspicuous than walking about with a POS terminal.
It's a two way communication with the chip and only certain information can be transferred. You can generate transactions, but not clone the chip itself. The consumer is not liable for contactless fraud and will get the money back. That's why banks limit the transactions to limit their liability.
Plus it will force a PIN request with a certain number of transactions, possibly more so in quick succession.
Reading with a smart phone, yes you can get apps to read the public data. That doesn't give you much. Just identity of the chip and who made it essentially. I've messed about doing this while developing some RFID related software and was just curious if it would read my cards. Sure enough it did. Nothing of use though.
Interesting. I've not worked on any contactless systems yet so good to get a developer perspective. Smartphones can act as POS terminals can't they, so presumably they can do the two-way communication with the cards for a challenge/response system?
That does rule out simple cloning though (and milky's story).
By "the bank reckoned," do you mean that some random person working at the bank guessed? Even if that scenario is exactly what happened, I'm at a loss as to how the bank could possibly ascertain that beyond speculation.
I would think they would know what kind of transaction was usde to process the charge but I dont know enough about banking to speculate. However to be honest I reckon the 200 odd consecutive charges all variously a few Cents under the maximum contactless payment limit gave it away.
Well deadkenny seems to know his stuff, and I suppose if he is happy that skimming is not a risk then I should be too.
Actually to clarify, it's more the chips in credit cards don't expose enough information to clone the card beyond card number and expiry which you could get traditional ways, and a POS device typically will read what it needs with one way communication and a bunch of encryption.
Everything else on the card needs two way to work, and depends on the card chip I believe whether it supports it.
Mobiles with contactless payment I think work two way, although depends again on the phone. Some require the phone to be working, relevant app and some communication back and forth, like Apple's pay thing. Others can work without the phone being powered up and rely on the NFC chip that's usually in the battery, which links to some data in a special payment enabled SIM. I believe EE's payment stuff works this way.